|
 |
483b06 |
From eb9d14debc4276f422ae55d141e30246d5943067 Mon Sep 17 00:00:00 2001
|
|
|
483b06 |
From: Jan Cholasta <jcholast@redhat.com>
|
|
|
483b06 |
Date: Thu, 30 Mar 2017 08:33:30 +0000
|
|
|
483b06 |
Subject: [PATCH] cert: defer cert-find result post-processing
|
|
|
483b06 |
|
|
|
483b06 |
Rather than post-processing the results of each internal search,
|
|
|
483b06 |
post-process the combined result.
|
|
|
483b06 |
|
|
|
483b06 |
This avoids expensive per-certificate searches when cert-find is executed
|
|
|
483b06 |
with the --all option on certificates which won't even be included in the
|
|
|
483b06 |
combined result.
|
|
|
483b06 |
|
|
|
483b06 |
https://pagure.io/freeipa/issue/6808
|
|
|
483b06 |
|
|
|
483b06 |
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
483b06 |
---
|
|
|
483b06 |
ipaserver/plugins/cert.py | 93 +++++++++++++++++++++++++++------------------
|
|
|
483b06 |
ipaserver/plugins/dogtag.py | 10 +++++
|
|
|
483b06 |
2 files changed, 66 insertions(+), 37 deletions(-)
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
|
|
|
483b06 |
index dfc7444ddbf31ac3c194e050af28220fc2a87a92..68402679cf0320e9c664ea89276f6c4332730a15 100644
|
|
|
483b06 |
--- a/ipaserver/plugins/cert.py
|
|
|
483b06 |
+++ b/ipaserver/plugins/cert.py
|
|
|
483b06 |
@@ -162,6 +162,11 @@ def normalize_pkidate(value):
|
|
|
483b06 |
return datetime.datetime.strptime(value, PKIDATE_FORMAT)
|
|
|
483b06 |
|
|
|
483b06 |
|
|
|
483b06 |
+def convert_pkidatetime(value):
|
|
|
483b06 |
+ value = datetime.datetime.fromtimestamp(int(value) // 1000)
|
|
|
483b06 |
+ return x509.format_datetime(value)
|
|
|
483b06 |
+
|
|
|
483b06 |
+
|
|
|
483b06 |
def validate_csr(ugettext, csr):
|
|
|
483b06 |
"""
|
|
|
483b06 |
Ensure the CSR is base64-encoded and can be decoded by our PKCS#10
|
|
|
483b06 |
@@ -1296,18 +1301,7 @@ class cert_find(Search, CertMethod):
|
|
|
483b06 |
|
|
|
483b06 |
return (DN(cert_obj.issuer), cert_obj.serial_number)
|
|
|
483b06 |
|
|
|
483b06 |
- def _get_cert_obj(self, cert, all, raw, pkey_only):
|
|
|
483b06 |
- obj = {'certificate': base64.b64encode(cert).decode('ascii')}
|
|
|
483b06 |
-
|
|
|
483b06 |
- full = not pkey_only and all
|
|
|
483b06 |
- if not raw:
|
|
|
483b06 |
- self.obj._parse(obj, full)
|
|
|
483b06 |
- if not full:
|
|
|
483b06 |
- del obj['certificate']
|
|
|
483b06 |
-
|
|
|
483b06 |
- return obj
|
|
|
483b06 |
-
|
|
|
483b06 |
- def _cert_search(self, all, raw, pkey_only, **options):
|
|
|
483b06 |
+ def _cert_search(self, pkey_only, **options):
|
|
|
483b06 |
result = collections.OrderedDict()
|
|
|
483b06 |
|
|
|
483b06 |
try:
|
|
|
483b06 |
@@ -1316,15 +1310,19 @@ class cert_find(Search, CertMethod):
|
|
|
483b06 |
return result, False, False
|
|
|
483b06 |
|
|
|
483b06 |
try:
|
|
|
483b06 |
- key = self._get_cert_key(cert)
|
|
|
483b06 |
+ issuer, serial_number = self._get_cert_key(cert)
|
|
|
483b06 |
except ValueError:
|
|
|
483b06 |
return result, True, True
|
|
|
483b06 |
|
|
|
483b06 |
- result[key] = self._get_cert_obj(cert, all, raw, pkey_only)
|
|
|
483b06 |
+ obj = {'serial_number': serial_number}
|
|
|
483b06 |
+ if not pkey_only:
|
|
|
483b06 |
+ obj['certificate'] = base64.b64encode(cert).decode('ascii')
|
|
|
483b06 |
+
|
|
|
483b06 |
+ result[issuer, serial_number] = obj
|
|
|
483b06 |
|
|
|
483b06 |
return result, False, True
|
|
|
483b06 |
|
|
|
483b06 |
- def _ca_search(self, all, raw, pkey_only, exactly, **options):
|
|
|
483b06 |
+ def _ca_search(self, raw, pkey_only, exactly, **options):
|
|
|
483b06 |
ra_options = {}
|
|
|
483b06 |
for name in ('revocation_reason',
|
|
|
483b06 |
'issuer',
|
|
|
483b06 |
@@ -1357,7 +1355,6 @@ class cert_find(Search, CertMethod):
|
|
|
483b06 |
return result, False, complete
|
|
|
483b06 |
|
|
|
483b06 |
ca_objs = self.api.Command.ca_find(
|
|
|
483b06 |
- all=all,
|
|
|
483b06 |
timelimit=0,
|
|
|
483b06 |
sizelimit=0,
|
|
|
483b06 |
)['result']
|
|
|
483b06 |
@@ -1377,24 +1374,16 @@ class cert_find(Search, CertMethod):
|
|
|
483b06 |
obj = {'serial_number': serial_number}
|
|
|
483b06 |
else:
|
|
|
483b06 |
obj = ra_obj
|
|
|
483b06 |
- if all:
|
|
|
483b06 |
- obj.update(ra.get_certificate(str(serial_number)))
|
|
|
483b06 |
|
|
|
483b06 |
if not raw:
|
|
|
483b06 |
obj['issuer'] = issuer
|
|
|
483b06 |
obj['subject'] = DN(ra_obj['subject'])
|
|
|
483b06 |
+ obj['valid_not_before'] = (
|
|
|
483b06 |
+ convert_pkidatetime(obj['valid_not_before']))
|
|
|
483b06 |
+ obj['valid_not_after'] = (
|
|
|
483b06 |
+ convert_pkidatetime(obj['valid_not_after']))
|
|
|
483b06 |
obj['revoked'] = (
|
|
|
483b06 |
ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED'))
|
|
|
483b06 |
- if all:
|
|
|
483b06 |
- obj['certificate'] = (
|
|
|
483b06 |
- obj['certificate'].replace('\r\n', ''))
|
|
|
483b06 |
- self.obj._parse(obj)
|
|
|
483b06 |
-
|
|
|
483b06 |
- if 'certificate_chain' in ca_obj:
|
|
|
483b06 |
- cert = x509.load_certificate(obj['certificate'])
|
|
|
483b06 |
- cert_der = cert.public_bytes(serialization.Encoding.DER)
|
|
|
483b06 |
- obj['certificate_chain'] = (
|
|
|
483b06 |
- [cert_der] + ca_obj['certificate_chain'])
|
|
|
483b06 |
|
|
|
483b06 |
obj['cacn'] = ca_obj['cn'][0]
|
|
|
483b06 |
|
|
|
483b06 |
@@ -1402,7 +1391,7 @@ class cert_find(Search, CertMethod):
|
|
|
483b06 |
|
|
|
483b06 |
return result, False, complete
|
|
|
483b06 |
|
|
|
483b06 |
- def _ldap_search(self, all, raw, pkey_only, no_members, **options):
|
|
|
483b06 |
+ def _ldap_search(self, all, pkey_only, no_members, **options):
|
|
|
483b06 |
ldap = self.api.Backend.ldap2
|
|
|
483b06 |
|
|
|
483b06 |
filters = []
|
|
|
483b06 |
@@ -1461,26 +1450,25 @@ class cert_find(Search, CertMethod):
|
|
|
483b06 |
for attr in ('usercertificate', 'usercertificate;binary'):
|
|
|
483b06 |
for cert in entry.get(attr, []):
|
|
|
483b06 |
try:
|
|
|
483b06 |
- key = self._get_cert_key(cert)
|
|
|
483b06 |
+ issuer, serial_number = self._get_cert_key(cert)
|
|
|
483b06 |
except ValueError:
|
|
|
483b06 |
truncated = True
|
|
|
483b06 |
continue
|
|
|
483b06 |
|
|
|
483b06 |
try:
|
|
|
483b06 |
- obj = result[key]
|
|
|
483b06 |
+ obj = result[issuer, serial_number]
|
|
|
483b06 |
except KeyError:
|
|
|
483b06 |
- obj = self._get_cert_obj(cert, all, raw, pkey_only)
|
|
|
483b06 |
- result[key] = obj
|
|
|
483b06 |
+ obj = {'serial_number': serial_number}
|
|
|
483b06 |
+ if not pkey_only and all:
|
|
|
483b06 |
+ obj['certificate'] = (
|
|
|
483b06 |
+ base64.b64encode(cert).decode('ascii'))
|
|
|
483b06 |
+ result[issuer, serial_number] = obj
|
|
|
483b06 |
|
|
|
483b06 |
if not pkey_only and (all or not no_members):
|
|
|
483b06 |
owners = obj.setdefault('owner', [])
|
|
|
483b06 |
if entry.dn not in owners:
|
|
|
483b06 |
owners.append(entry.dn)
|
|
|
483b06 |
|
|
|
483b06 |
- if not raw:
|
|
|
483b06 |
- for obj in six.itervalues(result):
|
|
|
483b06 |
- self.obj._fill_owners(obj)
|
|
|
483b06 |
-
|
|
|
483b06 |
return result, truncated, complete
|
|
|
483b06 |
|
|
|
483b06 |
def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
|
|
|
483b06 |
@@ -1537,6 +1525,37 @@ class cert_find(Search, CertMethod):
|
|
|
483b06 |
truncated = truncated or sub_truncated
|
|
|
483b06 |
complete = complete or sub_complete
|
|
|
483b06 |
|
|
|
483b06 |
+ if not pkey_only:
|
|
|
483b06 |
+ ca_objs = {}
|
|
|
483b06 |
+ ra = self.api.Backend.ra
|
|
|
483b06 |
+
|
|
|
483b06 |
+ for key, obj in six.iteritems(result):
|
|
|
483b06 |
+ if all and 'cacn' in obj:
|
|
|
483b06 |
+ _issuer, serial_number = key
|
|
|
483b06 |
+ cacn = obj['cacn']
|
|
|
483b06 |
+
|
|
|
483b06 |
+ try:
|
|
|
483b06 |
+ ca_obj = ca_objs[cacn]
|
|
|
483b06 |
+ except KeyError:
|
|
|
483b06 |
+ ca_obj = ca_objs[cacn] = (
|
|
|
483b06 |
+ self.api.Command.ca_show(cacn, all=True)['result'])
|
|
|
483b06 |
+
|
|
|
483b06 |
+ obj.update(ra.get_certificate(str(serial_number)))
|
|
|
483b06 |
+ if not raw:
|
|
|
483b06 |
+ obj['certificate'] = (
|
|
|
483b06 |
+ obj['certificate'].replace('\r\n', ''))
|
|
|
483b06 |
+
|
|
|
483b06 |
+ if 'certificate_chain' in ca_obj:
|
|
|
483b06 |
+ cert = x509.load_certificate(obj['certificate'])
|
|
|
483b06 |
+ cert_der = (
|
|
|
483b06 |
+ cert.public_bytes(serialization.Encoding.DER))
|
|
|
483b06 |
+ obj['certificate_chain'] = (
|
|
|
483b06 |
+ [cert_der] + ca_obj['certificate_chain'])
|
|
|
483b06 |
+
|
|
|
483b06 |
+ if not raw:
|
|
|
483b06 |
+ self.obj._parse(obj, all)
|
|
|
483b06 |
+ self.obj._fill_owners(obj)
|
|
|
483b06 |
+
|
|
|
483b06 |
result = list(six.itervalues(result))
|
|
|
483b06 |
if sizelimit > 0 and len(result) > sizelimit:
|
|
|
483b06 |
if not truncated:
|
|
|
483b06 |
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
|
|
|
483b06 |
index d1dd707f145e0f58bfa721df55513d46c14358f2..3997531032746a22243a4219250af4172e9ae5b3 100644
|
|
|
483b06 |
--- a/ipaserver/plugins/dogtag.py
|
|
|
483b06 |
+++ b/ipaserver/plugins/dogtag.py
|
|
|
483b06 |
@@ -1945,6 +1945,16 @@ class ra(rabase.rabase, RestClient):
|
|
|
483b06 |
if len(issuer_dn) == 1:
|
|
|
483b06 |
response_request['issuer'] = unicode(issuer_dn[0].text)
|
|
|
483b06 |
|
|
|
483b06 |
+ not_valid_before = cert.xpath('NotValidBefore')
|
|
|
483b06 |
+ if len(not_valid_before) == 1:
|
|
|
483b06 |
+ response_request['valid_not_before'] = (
|
|
|
483b06 |
+ unicode(not_valid_before[0].text))
|
|
|
483b06 |
+
|
|
|
483b06 |
+ not_valid_after = cert.xpath('NotValidAfter')
|
|
|
483b06 |
+ if len(not_valid_after) == 1:
|
|
|
483b06 |
+ response_request['valid_not_after'] = (
|
|
|
483b06 |
+ unicode(not_valid_after[0].text))
|
|
|
483b06 |
+
|
|
|
483b06 |
status = cert.xpath('Status')
|
|
|
483b06 |
if len(status) == 1:
|
|
|
483b06 |
response_request['status'] = unicode(status[0].text)
|
|
|
483b06 |
--
|
|
|
483b06 |
2.12.2
|
|
|
483b06 |
|